The attackers may have gained access to the accounts using social engineering, according to security experts.
The attackers may have gained access to the accounts using social engineering, according to security experts.

U.S. Central Command confirmed to SCMagazine.com that two of its social media accounts were hacked on Monday afternoon.

“We can confirm that the CENTCOM Twitter and YouTube accounts were compromised earlier today,” a Central Command spokesperson said. “We are taking appropriate measures to address the matter. We have no further information to provide at this time.”

Both accounts have since been taken offline, but not before the hackers – who seem to be supporters of the Islamic State – tweeted out threatening messages and links to military documents, according to a report by The Washington Post.

Ian Amit, vice president of ZeroFOX, said in a Monday email that all of the military documents are actually public domain, and the attackers repackaged the documents to look as though the data came from a real breach.

“These actors are trying to make themselves look more legitimate by threatening soldiers' wives and claiming to have mobile access,” Amit said. “In truth, they likely only stole a password, either through a phishing scam or a brute-force attack.”

In a Monday email correspondence, Trey Ford, global security strategist with Rapid7, told SCMagazine.com that the attackers could have scouted ahead and then used social engineering to trick someone into giving out credentials.

“On account investigations, I have routinely found community managers and social media/marketing folks tying their personal Gmail accounts to corporate personas,” Ford said, going on to add, “Taking control of the right user's email would allow attackers to reset the corporate Twitter account password.”

Tweets started being posted from the @CENTCOM Twitter account around 12:30 p.m. on Monday, according to The Washington Post, which posted images that show one message as saying, “AMERICAN SOLDIERS, WE ARE COMING, WATCH YOUR BACK. ISIS.” The Twitter profile photo and the backgrounds for both accounts were also changed, showing the term: “CyberCaliphate.”

Last week, tweets and images in support of the Islamic State – and including the term CyberCaliphate – appeared on the Twitter feeds of the Albuquerque Journal, CBS and Fox affiliates in Delmarva, Maryland, and a station in Tennessee.

“This attack looks to be the same actors as the WBOC and ABQJounral attacks last week,” Amit said. “The verbiage is the same, the behavior is the same, the hashtags are the same – all indicators suggest this is the same group.”

Ford noted that document dumps in the Sony hack were laced with malware, and that the documents in this instance may be part of a malware campaign targeting military analysts and their families.